Release Notes for Cisco Security MARS Appliance 6.0.1
Published Date: September 14, 2008
Revised Date: July 24, 2009
Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.
These release notes are for use with the Cisco Security Monitoring, Analysis, and Response System (MARS), Release 6.0.1 running on any supported Local Controller or Global Controller as defined in Supported Hardware, page 2.
This chapter contains the following topics:
• Introduction
• Supported Hardware
• New Features
• Upgrade Instructions
• Documentation Errata
• Important Notes
• Caveats
• Product Documentation
• Obtaining Documentation, Obtaining Support, and Security Guidelines
Introduction
Release 6.0.1 is now available as an upgrade of 5.3.6 and 4.3.6 of your software release in support of the second generation MARS Appliance models as identified in Supported Hardware, page 2. Registered SMARTnet users can obtain release 6.0.1 from the Cisco support website at:
http://www.cisco.com/go/mars/
And then click the Download Software link in the Support box on the right side of the MARS product home page.
Supported Hardware
Release 6.0.1 supports the following Cisco Security MARS Appliance models:
Local Controller Appliances: 2nd Generation
• Cisco Security MARS 25R (CS-MARS-25R-K9)
• Cisco Security MARS 25 (CS-MARS-25-K9)
• Cisco Security MARS 55 (CS-MARS-55-K9)
• Cisco Security MARS 110R (CS-MARS-110R-K9)
• Cisco Security MARS 110 (CS-MARS-110-K9)
• Cisco Security MARS 210 (CS-MARS-210-K9)
Local Controller Appliances: 1st Generation
• Cisco Security MARS 20R (CS-MARS-20R-K9)
• Cisco Security MARS 20 (CS-MARS-20-K9)
• Cisco Security MARS 50 (CS-MARS-50-K9)
• Cisco Security MARS 100e (CS-MARS-100E-K9)
• Cisco Security MARS 100 (CS-MARS-100-K9)
• Cisco Security MARS 200 (CS-MARS-200-K9)
Global Controller Appliances: 2nd Generation
• Cisco Security MARS GC2R (CS-MARS-GC2R-K9)
• Cisco Security MARS GC2 (CS-MARS-GC2-K9)
Global Controller Appliances: 1st Generation
• Cisco Security MARS GCR (CS-MARS-GCR-K9)
• Cisco Security MARS GC (CS-MARS-GC-K9)
New Features
In addition to resolved caveats, this release includes the following new features:
This section contains the following topics:
• Miscellaneous Changes and Enhancements
• New Vendor Signatures
Miscellaneous Changes and Enhancements
The following changes and enhancements exist in 6.0.1:
• Consolidated Software Release—This software release, 6.0.1, runs on any MARS Appliance model that has shipped prior to June 2008 (1st and 2nd generation appliances). This change allows you to manage your future upgrade processes uniformly, rather than managing a 4.x and 5.x image separately.
You can now migrate a MARS Appliance from 4.x to 6.0.1, as well as upgrade from 5.3.6 to 6.0.1. For details on migrating from 4.x to 6.0.1, see Migrating Data from Cisco Security MARS 4.x to 6.0.1.
• Upgrade Management—The ability to pull updates from the Cisco Software Downloads site or an internal server and apply them consistently across the MARS appliances on your network. Whether operating as a standalone Local Controller, or via a managed upgrade performed by the Global Controller, MARS now simplifies this operation and identifies the type of upgrade that has been downloaded (system upgrade versus signature updates). Includes support for on-demand and scheduled upgrades.
• Device Support Framework—This feature enables the definition, export, and import of packages that describe a new device type. Specifically, it defines the device type, event parsing rules, inspection rules, and reports. You can export and reuse these packages across multiple Local Controllers and Global Controllers.
• Cisco IPS TR/RR Support—This feature includes support for threat rating (TR) and risk rating (RR) attributes found in Cisco IPS solutions. Specifically, it adds two additional columns to inspection rules and event details: IPS Risk Rating and IPS Threat Rating. These new columns also appear in the "All Matching Events" query and report, as well as the CSV export form of the report.
In inspection rules, you can specify one of the following values for the IPS Risk Rating and the IPS Threat Rating attributes:
– Match any event—Matches events with or without rating (ignore this field).
– Match events without a Rating—Matches only those events without a rating.
– Match events with a Rating—Allows you to specify a range of values or to select equal to, not equal to, greater than, lesser than, greater than or equal to, and lesser than or equal to and then specify the value.
Select the check box under the option to also include events without a rating.
Note You can only perform an event query. There is no session query or LLV support for IPS RR/TR.
The following exceptions exist to this feature support:
– CSCso60975—In a query for All Matching Sessions, the IPS TR and IPS RR columns are missing in the results.
– CSCso60384—In a query for All Matching Events LLV raw events, the IPS TR and IPS RR columns do not appear in the results. The IPS TR and IPS RR columns are present for the LLV sessionized events query.
– CSCso64832—For the query results All Matching Sessions - Custom Columns, the IPS TR and RR fields are not included in the pull down options.
• Support for Internet Explorer 7.x—The MARS web interface is verified to run correctly on Microsoft® Internet Explorer 7.x.
• New Cisco Device Support—Support for the following new device types or versions is included:
– IOS 12.4(6)T - Zone-based Firewall
– Cisco IPS 6.x virtual sensor support
– ASA/PIX 7.2.3 and 7.2.4
– ASA/PIX 8.0.3
– ASA 8.1/5580 with NetFlow 9 support
– Cisco Secure Access Control Server 4.1.3
– FWSM 3.1.8
– CSC-SSM 6.1 and 6.2
– Cisco Clean Air 4.1.3
– Cisco WLAN 5.0
– Cisco Security Agent 6.0
• New 3rd-Party Device Support—Support for the following new device types or versions is included:
– Juniper Netscreen FW 5.4 and 6.0
– McAfee Foundstone 5.0 and 6.0
– McAfee ePolicy Orchestrator 3.6.x and 4.0 (McAfee AntiVirus 8.x supported through ePO)
– McAfee Intrushield 4.1
• CSV Export Enhancements—Now export of reports beginning with #s is supported.
• Rule Enhancements—Rules can now be deleted, and the audit log of which user deleted the rule is maintained by MARS. Rules now support up to 20 keywords. You can no longer create rules without defining a name for the rule. You can apply the Change Status action to multiple rules at the same time.
• Performance Enhancement for Batch Queries and Reports—This enhancement reduces the time required to generate batch queries and reports in many situations. As a result, you may notice that many batch queries and reports take significantly less time to complete. (CSCsm39521)
• Performance Enhancement for Inline Queries, Batch Queries and Reports—This enhancement reduces the time required to generate queries and reports in many situations. As a result, you may notice that many queries and reports take significantly less time to complete. (CSCsm22541)
New Vendor Signatures
The following table describes the most recent signatures supported for each product or technology:
Tip For full details on supported devices and versions, see Supported and Interoperable Devices and Software for Cisco Security MARS Local Controller 6.0.x.
| Revised in 6.0.1 | Product | Signature Version Supported |
|---|---|---|
| | Intrusion Prevention and Detection Signatures | |
| Yes | Cisco IDS 4.0, Cisco IPS 5.x, Cisco IPS 6.x, Cisco IOS 12.2 | Current through S330 signature release. |
| Yes | Snort NIDS 2.8 | Current through the August 12, 2008 signature release. Latest signature mapped: 13953. |
| Yes | ISS RealSecure Network Sensor 6.5 and 7.0, and ISS RealSecure Server Sensor 6.5 and 7.0 | XPU 28.130. Release date: August 12, 2008 |
| Yes | McAfee IntruShield 4.1 | 4.1.30.4. Release date: August 12, 2008 |
| Yes | McAfee Entercept HIDS 2.5, 4.0, 6.x | Current through the August 4, 2008 signature release. |
| Yes | CheckPoint Application Intelligence (VPN-1 NG with Application Intelligence R55) | Current through the August 12, 2008 signature release. |
| Yes | Netscreen IDP 2.1, 3.0, 3.1, 4.0, 4.1 | Signature version: 4.1. Release date: August 11, 2008 |
| Yes | Symantec NIDS, v 4.0 | Signature package: 95. Release date: June 12, 2008 |
| Yes | Enterasys Dragon 6.x, 7.x | Current through the August 13, 2008 signature release. |
| No. EOS. | Symantec Manhunt 3.x (See Symantec NIDS, v 4.0.) | 3.4.3 Update 59. Current through the May 24, 2007 signature release. |
| | Vulnerability Scanner Signatures | |
| Yes | Qualys Guard ANY | Current through the August 12, 2008 signature release. |
| Yes | E-Eye, Retina Scanner Vulnerability Software, version 5.6 [1] | Current through the August 11, 2008 signature release. |
| Yes | Foundstone, version 3.x | Current through the August 11, 2008 signature release. |
| Yes | Common Vulnerabilities and Exposures (CVE) Database | Current with the August 13, 2008 definition update. |
| | Miscellaneous Support | |
| No | Oracle 11g | Support for new AUDIT_ACTIONS. |

1 eEye REM 1.0 is supported in 4.2.x.

Upgrade Instructions
The MARS upgrade packages are the primary vehicle for major, minor, and patch software releases. As administrator of the MARS Appliance, you should check the upgrade site regularly for patch upgrades. In addition to addressing high-priority caveats, patch upgrade packages update system inspection rules, event types, and provide the most recent signature support.
For detailed instructions on planning and performing an upgrade or install, refer to "Checklist for Upgrading the Appliance Software" in the Cisco Security MARS Initial Configuration and Upgrade Guide.
Important Upgrade Notes
To ensure that the upgrade from earlier releases is trouble free, this section contains the notes provided in previous releases, organized by release number. Please refer to the notes that pertain to the release you are upgrading from and any releases following that one.
General Notes
The MARS Appliance performs a file system consistency check (fsck) on all disks when either of the following conditions is met:
• If the system has not been rebooted during the past 180 days.
• If the system has been rebooted 30 times.
The fsck operation takes a long time to complete, which can result in significant unplanned downtime when rebooting the system after meeting a condition above. For example, a MARS 50 appliance can take up to 90 minutes to perform the operation.
Upgrade to 6.0.1
The upgrade process to 6.0.1 differs based on the release you are upgrading from. If you are upgrading a 5.x release, then you can upgrade to 6.0.1 if you are running 5.3.6. The upgrade from 5.3.6 to 6.0.1 takes several hours, as it also upgrades the Oracle database running on the appliance. If you are running an earlier 5.x version, you must first upgrade to 5.3.6 (see Upgrade to 5.3.6, page 6 for details).
However, if you are upgrading a 4.x release, you must migrate the system instead of upgrading. To migrate from a 4.x release, you must follow the step-by-step instructions specified in Migrating Data from Cisco Security MARS 4.x to 6.0.1.
Note When upgrading a "restricted" model of MARS appliance (20R, 100e, or GCm) to MARS Software release 6.0.1, all limits enforced by the restricted model will be ignored. The "restricted" models will perform as unrestricted models (20, 100, or GC) once upgraded to release 6.0.1.
Upgrade to 5.3.6
For notes that are specific to the upgrade to the 5.3.6 release, as well as all previous 5.x releases, see the Release Notes for Cisco Security MARS Appliance 5.3.6.
Upgrade to 4.3.6
For notes that are specific to the upgrade to the 4.3.6 release, as well as all previous 4.x releases, see the Release Notes for Cisco Security MARS Appliance 4.3.6.
Upgrade Path Matrix
When upgrading from one software release to another, a prerequisite release is always required. This prerequisite release is the minimum level required to be running on the appliance before you can upgrade to the most recent release. Table 1 identifies the upgrade path that you must follow to reach the minimum level required to upgrade to the current release.

Table 1 Upgrade Path Matrix

| From Release | Upgrade To | Upgrade Package |
|---|---|---|
| 4.3.6 | 6.0.1 | Migration required. See Migrating Data from Cisco Security MARS 4.x to 6.0.1 |
| 5.3.6 | 6.0.1 | csmars-6.0.1.pkg |

Downloading the Upgrade Package from CCO
Upgrade images and supporting software are found on the CCO software download pages dedicated to MARS. You can access these pages at the following URLs, assuming you have a valid CCO account and that you have registered your SMARTnet contract number for your MARS Appliance.
Top-level page:
http://www.cisco.com/go/mars/
And then click the Download Software link in the Support box on the right side of the MARS product home page.
Result: The Download Software page loads.
From this top-level page, you can select one of the following options:
• CS-MARS IPS Signature Updates Archives
• CS-MARS IPS Signature Updates
• CS-MARS Patches and Utilities (supplementary files)
• CS-MARS Recovery Software
• CS-MARS Upgrade Packages
Note If you are upgrading from a release earlier than those posted on CCO, please contact Cisco support for information on obtaining the required images. Do not attempt to skip releases along the upgrade path.
For information on obtaining a CCO account, see the following URL:
• http://www.cisco.com/en/US/applicat/cdcrgstr/applications_overview.html
Documentation Errata
• CSCsl14244. User guide does not discuss role of Nessus in the MARS system.
To determine whether specific incidents are false positives, MARS uses Nessus 2.x GPL plug-ins and custom scripts mapped to specific MARS event types. MARS does not use Nessus to perform vulnerability assessments or related reporting.
MARS uses Nessus as one component in determining false positives. When a host resides on a network listed under "Networks for Dynamic Vulnerability Scanning", then MARS uses Nessus to help ascertain whether an attack targeting that host was likely to be successful. When an event does not have a corresponding Nessus Attack Scripting Language (NASL) script, MARS uses nmap OS fingerprinting to determine the destination operating system type, and uses nmap-found-OS to match known operating systems affected by the attack.
• CSCsk77546. Discovery Device with SSH 512 module not supported.
The OpenSSH client used by MARS does not support modulus sizes smaller than 768. For example, you cannot discover a device using an SSH login that has a 512-byte key.
Important Notes
The following notes apply to the MARS 6.0.x releases:
• CSCsu50839—Report Result Page saves the previous "Other views" selection
If you change the "Other Views" options in the report result page, the changes persist for that report and for that browser. When the report results are viewed later, the browser shows the saved options but the results displayed are always the default options results.
To avoid this issue, always click Display Report to view a scheduled report’s results.
• If the client system used to access the MARS GUI is not on the same side of the NAT boundary as the MARS appliance and the Security Manager server, you can perform policy lookup in read-only mode. However, you cannot start the Security Manager client from the read-only policy lookup table to modify matching policies. The Security Manager client must be on the same side of the NAT as the MARS appliance and the Security Manager server if you want to modify the matching policy from MARS. This restriction is also true if you want to query MARS events from policies.
• The performance of the Summary Page degrades when too many reports are added under My Reports. The smaller the number of reports under My Reports, the faster the Summary page loads. To ensure adequate performance, limit the number of reports to 6. This issue is partially described in CSCse18865.
• Do not use DISTINCT or SAME in queries, and do not run multi-line queries in Release x.3.4 through 6.0.1. If you run such a query, the system times out after 20 minutes without returning any results. The message “Timeout Occurred” appears instead. You can use DISTINCT and SAME in a Query to create a rule with the Query interface.
• For Symantec AntiVirus, the Symantec agent hostname (AV client computer name) appears in the “Reported User” column of the event data. Therefore, you can define a query, report or rule related to this agent based on the “Reported User” value.
• The False Positive and Query pages (multi-column result format) have changed. You can now query on firing events that triggered false positives within a time interval. Such queries will render events that did not appear on the False Positive page. To ensure performance, the False Positive page only displays false positives from the most recent 10,000 firing events. To view additional false positives, you must perform a query.
The following notes describe new behavior based on the resolution of specific caveats. Be sure to check the upgrade notes for each release for important notes on data migration.
Reference Number Description
CSCsc50636, CSCsc50652 Issues: Back-end IPS process runs at 99% CPU when pulling large IP Logs. The Back-end IPS process reaches 1GB in memory used when pulling IP Logs. The process name depends on the version of MARS that is running:
• In release 4.2.1 and earlier, the process names are pnids50_srv and pnids40_srv.
• In release 4.2.2 and later, the process is named csips.
These related issues are specific to pulling IP logs from Cisco IDS/IPS devices. The symptom is that the Back-end IPS service consumes the system resources on the MARS Appliance. An improper configuration of the sensor can significantly degrade the sensor performance as well as that of MARS.
Workaround: Ensure that settings for IP log creation on the sensor limit the size of the IP log (in terms of number of bytes or number of packets captured). Also, verify that IP packet logging is enabled only for signatures of interest and not for all signatures. In addition, the following release-specific maximums are enforced:
• In 4.2.1, a 100 file maximum is enforced for the log file queue when the MARS is configured to pull IP log files. Therefore, it may not pull every IP log file. In addition, the complete IP Log file may not be pulled; instead, data is pulled from the file starting 5 minutes before the alert was generated through the end of the file.
• In 4.2.2, a 1,000 file maximum (up from 100 in 4.2.1) is enforced for the log file queue when the MARS is configured to pull IP log files. The complete IP Log file may not be pulled; instead, data is pulled from the file starting 1 minute (down from 5 minutes in 4.2.1) before the alert was generated through the end of the file. And last, 100KB is the maximum IP log size that can be pulled from a MARS Appliance.
CSCpn02175 Issue: Data computed or stored on a standalone MARS while in standalone mode will not be transferred to a Global Controller. Only data computed on a Local Controller that is currently monitored by a Global Controller will be pushed up.
CSCpn02073 Issue: After renaming a cloud, clicking the cloud again causes an error.
Workaround: Refresh the page before clicking a renamed cloud.
CSCpn01270 Issue: The free-form search may not work for the following devices:
• Check Point Opsec NG FP3
• Cisco CSA, 4.0
• Cisco, IDS, 3.1 and 4.0
• ISS, RealSecure, 6.5 and 7.0
• Entercept Entercept, 2.5 and 4.0
• IntruVert IntruShield, 1.5
CSCpn00247 Issue: The automatic time-out feature built into the GUI does not work when the Summary page is left open with automatic refresh selected.
Resolution: Please log out of the system when you are no longer using it.

Caveats
This section describes the open and resolved caveats with respect to this release.
For your convenience in locating caveats in Cisco’s Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
• Commands are in boldface type.
• Product names and acronyms may be standardized.
• Spelling errors and typos may be corrected.
Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
http://www.cisco.com/support/bugtools
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
This section contains the following topics:
• Open Caveats for Supporting Devices
• Open Caveats—Release 6.0.1
• Resolved Caveats—Release 6.0.1
• Resolved Caveats—Releases Prior to 6.0.1
Open Caveats for Supporting Devices
The following caveats affect this release and are part of supported devices or compatible products:
Reference Number Description
Cisco Security Manager
CSCsm94630 Policy query icon is not shown at times in Real time viewer
CSCso11900 Keyword field dimmed in Query page after events lookup from Security Mgr
CSCsm96376 Policy lookup icon not shown if device is deleted from MARS
CSCsm14585 Read-only policy page takes a long time to display for realtime events
CSCsm94537 Policy lookup icon not shown for a device deleted and re-added to MARS
CSCsl54107 Security Manager policy lookup for ICMP connection teardown syslog fails
CSCsm43237 Minimum password length for Security Manager account in MARS
CSCso38232 Host not shown in topology graph if Security Manager is added on it
CSCsf31401 MARS query does not highlight rules inside any policy group named Local
Firewall Services Module
CSCsl27574 FWSM Syslog message FWSM-6-302013 with wrong Real and Mapped IP
Open Caveats—Release 6.0.1
The following caveats affect this release and are part of MARS.
Reference Number Description
CSCpn00173 Nessus should check pre-NAT address instead of Post-NAT address
CSCpn00183 Adding devices w/o "Activate" can cause "messy" graph
CSCpn00212 Graphgen crashes when there are many non-existent devices
CSCpn00293 using TAB in editing fields
CSCpn00455 Graph doesn’t refresh when a cloud is renamed
CSCpn00586 nasl message text needs to be changed
CSCpn00908 "Domain" in Configuration page - no use
CSCpn01045 Archiving: Need better error message
CSCpn01134 Cloud name input box accepts invalid characters
CSCpn01219 Cleanup script for invalid /etc/qpage.conf entries
CSCpn01293 Host OS listing needs cleaning
CSCpn01319 pnreset command does not cause reboot
CSCpn01382 Security device type hosts don’t show up in IP management
CSCpn01398 Unable to shutdown an interface
CSCpn01438 Batch Query: Under high load, some batch queries may not complete
CSCpn02061 Saving .csv files under WinXP SP2 results in .htm extension
CSCpn02177 Docs: Filesystem Check after 22 reboots
CSCpn02251 License: Upon entry of 100 license onto 100e, need to restart pnpars
CSCpn02383 IIS parsing must be separated from Windows log
CSCpn02385 Applied $TARGET01 for GC Query Source IP resulted in "resultCounter
CSCpn02398 XML escaping errors in Keyword Search in Rule
CSCpn02410 rule was not fired because Oracle log used upper case for user
CSCpn02414 GC/LC user rule is too long to fit into a page if keyword is long
CSCpn02470 Server csv function could not handle special characters in password
CSCpn02511 need to fix errors in affected os
CSCpn02549 JavaScript Error from ViewReport when clicking Edit/Clear
CSCpn02558 "Agent" didn’t be removed correctly
CSCpn02566 rebooting mars while it is upgrading cause the box not accessible
CSCpn02574 Time change on system causes GC/LC communication problem
CSCpn02653 No way to specify "!Keyword" without a good "keyword"
CSCpn02656 System error occurs when # of java connections runs out
CSCpn02666 Batch Query Results with one item returned -> no data in graph in em
CSCpn02804 Replay History feature not working correctly
CSCpn02869 Rules editing: changing entry for select window pulldown after error
CSCpn02901 GC/LC, rule does not display user <cxu> but allows such cfg
CSCpn02968 Network group search is not working for "All IP addresses"
CSCpn02973 Not able to downgrade a security analyst to Notification only user
CSCpn02976 GC:LC - Communication issues after time zone change
CSCpn03052 JBoss ’OutOfMemoryError ’ when accessing Management/Event Management
CSCpn03057 Copied rules have shortened year in front, which is confusing (ex. 0
CSCsb67871 Got System Error In GC After Re-installed New Version In LC
CSCsb77550 CSV-re import of CSA and Symantec agents unsuccessful
CSCsb80082 Deleting a LC w/o exchanging certificates doesn’t set mode to Standalone
CSCsc04484 LC Rule/Report list shows empty after deletion of GC group
CSCsc15590 MARS not including all events in a report, query returns events fine
CSCsc59363 Need improvement to GUI for multi-line rules
CSCsc90480 MARS Incident notification options are not configurable
CSCsc95831 log messages of MARS processes stopped being written into backend log
CSCsd06302 device name with single quote causes pink box
CSCsd61749 pnrestore doesn’t restore all of the system config
CSCsd84350 CS-MARS/CSM: Credentials change on CSM side not checked.
CSCsd86896 Clicking the clear button when editing the query type doesn’t work.
CSCsd89457 Incorrect handling of time range for rules that fire periodically.
CSCsd95582 Both successful/failed mitigation reports show same results
CSCse00626 IP Management -> device group displays hosts only.
CSCse09127 Failed load from csv returns incorrect status
CSCse10945 Summary Page Graphs Spontaneously Change Displayed Size (w/ multi-head)
CSCse17936 5K Lines Custom Query fails
CSCse18816 UI takes 99% CPU, hanging browser and slowing system while expanding all
CSCse27948 pink box when do query - ORA-01555: snapshot too old exception
CSCse31722 Cloud toggle only works on first page of reporting devices
CSCse33172 Invalid id used in DbClient::retrieve() 0
CSCse34407 Query Tab -> Multi column query returns wrong results.
CSCse34600 configurable SNMP timeout support
CSCse38565 CSV-Re-importing Symantec AV client CSV doesn’t work
CSCse42953 CS-Mars - unable to show L2 path when source and destination in same net
CSCse45884 LLV query causes client CPU to go to 100%
CSCse51642 IPlanet Unknown Device Event Type Parsing Error
CSCse54808 The time stamp shown by the pndbusage command is incorrect.
CSCse78738 FWSM ifspeed incorrectly reported as 0 for per-context vlan interfaces
CSCse85972 Unresolved symbol in Java build (though didnot stop building)
CSCse98029 Occasionally corrupted event data enters into MARS database
CSCsf06019 Generic Router UI must support multiple reporting applications
CSCsf11651 Device resource monitor incorrectly samples 5 sec CPU instead of 5 min
CSCsf12825 GUI should prevent edit/delete of system-context PIX/ASA 7.0 devices
CSCsf15781 Database table columns do not match with the archive file columns
CSCsf26715 Inaccuracy in per-context memory utilization for multi-context devices
CSCsf27568 keyword search query can’t display big-5 encoding raw msg
CSCsf31121 Exception in Case Management code when deleting a report
CSCsf31207 Mars doesn’t support new/changed FWSM 3.1.3 maintenance release syslogs
CSCsf31228 Unknown device events for FWSM 3.1 FWSM-3-717001 till FWSM-4-717031
CSCsf99767 provide encoding selection for adding agent to device/host
CSCsf99844 wrong values for current connections using CLI "show resource usage"
CSCsg20987 CSMARS DTM sdf files are sent with invalid format
CSCsg64119 rule’s keyword editor treats NOT as binary rather than unary
CSCsg73786 Devices should not be added to MARS if Discovery is unsuccessful
CSCsg76958 FR: Recognize either CIPS network variables or have CSMARS net variables
CSCsg82600 some syslog results in unknownDET with ’Activate’
CSCsh00013 Case Management: history does indicate change of ownership
CSCsh44351 CSM multiple hostname matches failed to return multiple hosts
CSCsh67828 Custom Column Query filtered by reporting device missing results
CSCsh73553 MARS DVD imaging does not support USB keyboard
CSCsh97060 MARs says it can delete up to 500 at a time but only lets you delete 50.
CSCsi03658 CS-MARS - IOS Discovery via Telnet/SSH fails with $hostname in banner
CSCsi07186 User can input unsupported characters in AAA device name
CSCsi11312 pn_incident_log and pn_report_log should be archived
CSCsi13100 gui.sh dev build makes different JBOSS web.xml than make release
CSCsi15769 NLS_LANG variable should be updated in environment
CSCsi18757 CS-MARS - Request to have the "ssldump" command in the MARS CLI.
CSCsi29398 CS-Mars does mitigate to the proper endpoint
CSCsi49285 Mismatch in results between query and report.
CSCsi49330 Mismatch in results between query and report when query is based on user
CSCsi49396 Mismatch in results between query & report when query based on desti. IP
CSCsi49419 The application hangs, while getting the results for a query.
CSCsi49474 Mismatch results between query and report (custom column)
CSCsi51999 Edit SW based Application device need submit twice
CSCsi52731 mars reboots w/o asking for confirmation after user clicked cfg update
CSCsi62384 The performace test kills all the process during the weekend run
CSCsi65713 Index needs to be removed for the pn_report_result table
CSCsi65960 L2 mitigation has problem finding path
CSCsi68126 For multiple context mode, inbound/outbound error reports are incorrect.
CSCsi69310 security hole happens if users close browsers without click logout
CSCsi86420 with 60% event rate capacity, query events ranked by time takes 20 min
CSCsi91734 Mismatch in results between query and report for All Matching Events
CSCsi93283 Mismatch between query and report results for source port ranking.
CSCsj15512 Update reports when handling deletion of hosts
CSCsj20697 LC did not get added to GC so unable to generate syslogs.
CSCsj23845 CS-MARS Action filter doesn’t work if not associated with incidents
CSCsj28376 Box may not be able to reboot after recovery, under certain conditions
CSCsj51240 Paging does not work for report right after adding it to a case.
CSCsj66955 scheduled discovery is scheduled at wrong time
CSCsj67626 Raw message query type schedule report missing some raw message events
CSCsj69985 Syslogrelay is accepting same IP for both source and collector
CSCsj90505 Inline/Batch query not match on NAT connection report
CSCsj90875 Inline/Batch query: result mismatch on Matched Rule Ranking
CSCsj96592 Adding LC with version lower than 4.3.1 should version mismatch err
CSCsk04282 MARS failed to import 1000 hosts vulnerability information
CSCsk26308 pink error when listing devices while scalability script running
CSCsk27276 MARS: Isolated Networks in Topology due to ’ip unnumbered’ Interface
CSCsk39645 GUI doesn’t check duplicate agent ip address when adding application
CSCsl41494 Network_group object with DB ID of 0 (zero) causes system error in GUI
CSCsl58216 MARS Layer 2 path and mitigation issues with IOS 12.3 and 12.4 version
CSCsl58359 exporting data use pnexp requires more TEMP tablespace
CSCsm40349 rare crashing issue due to file system check/memory short
CSCso39840 Sud incr. in traf raw msg should have std deviation instead of variance
CSCso40549 L2 path through 7600 with VRF give error message
CSCso59056 pnrestore throws the warning of archive version 0
CSCso97681 Host name appears inconsistently on Incident Vector Topology
CSCsq05336 MARS - Large Number of Reported Users, Query user selection fails
CSCsq07542 CS-MARS Incident path graph connects to wrong cloud/gateway
CSCsq23060 Entries with ID 0 exist in database in some tables
CSCsq52768 AAA - Unable to add AAA server on GC
CSCsq57230 custom parser performance issue
CSCsq69190 4.3.5 eth1 IP address not migrated to 5.3.5
CSCsq69627 4.3.2 MARS-20 - The status of their reports is stuck ’in progress’
CSCsq88032 Anomaly baselines are not part of archive/restore data
CSCsq97937 pnparser and graphgen crashed multiple times in loading topology
CSCsq97972 pnparser crashed in AnomalyAnalyzer
CSCsr07779 MARS event session table missing primary key
CSCsr18510 Report result gives NONE as the output instead of the network address
CSCsr31888 Checkpoint raw messages are being truncated
CSCsr41052 MARS not showing the switches in L2 mitigation path consistently
CSCsr46945 LC Delete takes too long with lots of global networks
CSCsu40679 Mismatch in event correlation for the events from IPS
Resolved Caveats — Release 6.0.1
The following customer found or previously release noted caveats have been resolved in this release.
Reference Number Description
CSCpn00873 Adding a Cisco IDS 4.0 doesn’t ensure that it has a valid port
CSCpn01532 Serial port speed setting inconsistent
CSCpn02191 (Interwoven) secure archiving
CSCpn02327 missing zone information on GC rule creation
CSCpn02333 LC: After pnreset -g, should clear out former zone’s information
CSCpn02407 GC reported users are not pushed up from LC to GC
CSCpn02515 (US Army) ‘Any’ over-riding rule/query criteria
CSCpn02569 GC-LC:Reported User Rule Push
CSCpn02787 src and dst ip are 0.0.0.0 for event of built icmp connection for fa
CSCpn02807 LC should show the info about the GC which is monitoring LC
CSCpn02831 GC - Rule for specific zone makes rules inactive in other LCs, but t
CSCpn03022 Enhancement needed for host
CSCpn03079 parsing error for IOS syslog: %FW-6-SESS_AUDIT_TRAIL
CSCsb45815 Test Connectivity holding on QualysGuard on-demand URLs
CSCsc15702 Custom parser not used under certain circumstances
CSCsc22184 No ratelimiting on M20/50/100 for store netflow
CSCsc46185 Cannot delete a single user-defined rule in CS-MARS
CSCsc78878 snort signature 2570 incorrectly mapped
CSCsc97963 Netscreen logical interfaces (vlan intf) not discovered
CSCsd28267 CLI: pnupgrade does not properly check parameters
CSCse13038 CS-Mars - learning of McAfee agents with invalid names
CSCse13913 Clicking ’Clear’ on edit query page doesn’t clear everything
CSCse20539 Hotspot graph doesn’t update after adding a device from GC
CSCse28932 solaris event: file system full
CSCse32707 CSV- Report->View Report : Incorrect csv file generation.
CSCse33688 No Event Types listed under Cisco Switch-IOS 12.2
CSCse38356 Windows pulling gets stuck for one IP due to invalid content in evt log
CSCse44509 On demand report progress shows negative value
CSCse55071 Snort - Unknown Device Type
CSCse57955 CS-Mars showing unknown parsing error for Netscreen 5.0 events
CSCse78089 Unable to upgrade CS-Mars via GUI
CSCse82022 Unable to view reports starting with #sign in csv format
CSCse82042 Change the Device Type Version for FWSM
CSCse91636 MARS - not all columns seen in CSV reports generated using custom column
CSCsf06141 high CPU usage in pnparser sessionization
CSCsf16900 After discovery is done, the new added fwsm3.1 is not shown in device pg
CSCsf19647 Operator "neq" isn’t parsed correctly
CSCsf29813 first several pulled log messages are not logged after cleaning logs
CSCsg05143 Button functions on zone config page should be restricted
CSCsg26352 Getting a internal server error when trying to access a incident on GC
CSCsg38029 high CPU usage in pnparser due to checkpoint NAT rules
CSCsg41738 IDS monitored networks not displayed the same as discovered interfaces
CSCsg46296 CS-Mars- nslookup requests using the GUI do not work
CSCsg47022 CS-MARS - Incorrect Start Times on Retrieved Raw Message Files
CSCsg53135 CS-MARS - Recent Incidents for Last field does not maintain state
CSCsg68371 cannot not use < > & to do keyword correctly
CSCsg71418 GC: Query shows as complete on GC while still running on LC
CSCsg75415 GC-deleting current logged-in user ends session before activating change
CSCsg79246 Getting a blank window when adding a device in IE 7
CSCsg80475 All incidents purged if event-session partition table is corrupted.
CSCsg90210 Query Matchin all sessions takes long time to finish
CSCsg91816 port 0 in ’Top Destination Ports’ misleading
CSCsh05549 Order of events in RawEvent Queries: need finer grained timestamps
CSCsh05946 CS-MARS - Ability to adjust file size when retrieving raw messages
CSCsh14454 server.log can grow unbounded with in a single day
CSCsh52537 Repeated upgrades of oracle fills hard drive
CSCsh55324 Global userevent in LC not behaving correctly when LC deleted/re-added
CSCsh80125 pnrestore start/end time arguments - invalid dates not rejected
CSCsh83068 Report and query return no results under device type ANY
CSCsh89445 GUI allow users create rule without putting rule name
CSCsi33498 SANS TOP20 reports should be updated in every release
CSCsi44427 Enh: Make HTML report output the same as CSV output
CSCsi50024 IPS is not visible in Global Zone Hot Spot Graph
CSCsi50292 Cannot add mars 20r to gc
CSCsi58880 Enh: Need a scroll bar in Real Time Event Viewer GUI
CSCsi66512 Auriga/Cygnus: pnmodel returns wrong return value for MARS 210
CSCsi66599 Query/Report allow user to change max records 5000
CSCsi72614 MARS problem distinguishing betwn L2 and L3 devices during SNMP discover
CSCsi72853 AIM-IPS 6.0 support
CSCsi76255 Custom log template pattern messed up when add a LC to GC
CSCsi79486 Sorting maybe required for the drop-down list of service group
CSCsi88964 Documentation for Snort 2.6 Support
CSCsi95167 Places need to be Sorted by Name
CSCsi96921 IPSDynamicSigUpdate attempts to connect to CCO with no credentials
CSCsj03338 CS-MARS - Cannot import domain information from seed file
CSCsj05344 GUI: Allow select multiple Rules to change status
CSCsj13201 Device type of McAfee ePO 3.5 agent has extra word
CSCsj31990 pnparser: avoid flooding log file for most of framewk, sb, sessionizer
CSCsj36991 WLAN: "Load from Seed File" needed for WLC
CSCsj37444 pnparser: Needs to audit log pn_reported_user records
CSCsj40313 Summary: HotSpot Graph duplicate at Attack Diagram
CSCsj41020 inconsistency of the mars internal generated syslogs for VA info
CSCsj41168 Error when trying to accept new sensor certificate
CSCsj42467 LC not showing up on certificate page
CSCsj46699 Deleting notification object on LC causes pink box when updating report
CSCsj62420 ASA Context are appearing as Submodule under PIX and Vice-Versa
CSCsj66410 Enh - CS-Mars - CSV TACACS+ Accounting support
CSCsj67037 pnparser / postfire / process_event_srv crashed in func test
CSCsj68087 MARS Discovery fails to take the context information of ASA from 7.2-7.0
CSCsj70968 Charts need captions in Query/Report results.
CSCsj77235 Enh: Incr. throughput via reduced mem-ops in PnParsedEvent serialization
CSCsj79124 WLAN: Edit User Rule name might hide user rules from Rules tab
CSCsj87207 GUI cannot show the full topology because of constant process crash
CSCsj90077 Enh: Summary page severity filter should provide more option
CSCsj92673 pink box appears when adding query/Report into Cases
CSCsj95799 Always Prompt SSL cert/Dup IP, Test Conn removes Monitored Nets
CSCsk02261 XPATH is change to find open ports information from QG 5.0 xml file
CSCsk02989 GC is not usable when LC has lots of deleted devices
CSCsk08028 Real time multi column query is not working.
CSCsk09106 Enh: Scheduled ranking reports performance improvements
CSCsk12421 Netflow config wrongly mixed up with traffic anomaly configuration
CSCsk12489 operator role can not resubmit report
CSCsk14368 pnparser lost commu w/ superV, so restarted by superV in perf test
CSCsk15271 Hotspot graph didn’t get enlarged
CSCsk19283 Support for Teardown syslog to CSM policy navigation
CSCsk20599 Enh: ASA Full-Throttle specific Netflow v9 parsing code
CSCsk23818 Reports need to do bulk insert in java
CSCsk23854 Change Version not changing the version of the context
CSCsk24656 Enh: Add Real Time (Raw Events) or LLV support for Netflow
CSCsk26328 on LC, GC user report name editable through previous button
CSCsk27999 Java error when clicking on Configuration Information page
CSCsk35823 Scheduled NAC report return empty result
CSCsk38984 Update Oracle to latest CPU (critical patch unit)
CSCsk46510 No Error message on Discovering FWSM through FTP
CSCsk48474 IPS process constantly crashes with 100 IPS added to MARS
CSCsk60311 Mars - Option to check logs pulling status
CSCsk62697 Enh: IPS6x is not supported in seed file import in 4.3.1/5.3.1
CSCsk64671 WLAN: WLC virtual ip shown as Ip address; shd be mgmt ip
CSCsk66330 Better to allow -Submit Inline- button more often - tie to timeout
CSCsk69316 New Device Support - NAC Appliance
CSCsk70744 Upgrade OpenSSL version
CSCsk71762 XML Parsing in SVG topology reference without authentication
CSCsk73647 UCB installation
CSCsk74568 CSM connection is getting frequently reset due to ClientAbortException
CSCsk79053 GC error - java.lang.OutOfMemoryError exception
CSCsk80647 pnupgrade is not displaying next fsck scenario
CSCsk85174 MARS - 5 tuple information missing from raw IDS events from NFS archive
CSCsk87226 MARS didn’t discover FWSM multiple context mode successfully
CSCsk87325 WLAN: MARS need to take care new/modify Signature Attack in DCubed
CSCsk88570 MARS: received email reports contain blank chart
CSCsk89160 200-GC Configuration import on 110 stops some processes
CSCsk92543 CS-MARS: Custom Column Report Device Column Blank .
CSCsk93378 UCB code changes check in
CSCsk94319 ASA 7.2: missing ASA-7-715078 event in 22-bigfile.txt
CSCsl00467 MARS timeout settings impact "timezone set" command
CSCsl01098 To include patch for Venezuela & Argentina timezone change
CSCsl02072 Symantec: issue when device gets added with devicename in small letters
CSCsl03822 Support Secure Syslogs
CSCsl04692 Reported user is not parsed for windows event id: 680
CSCsl07131 ns25 syslog message parsing error
CSCsl09384 Need to include new JBoss and JDK packages
CSCsl09666 Unknown Events of ASA|PIX Messages - need to check in all ASA|PIX Veriso
CSCsl10687 Build script and JBoss configuration file changes for new Jboss/JDK
CSCsl11647 Pnupgrade hanging at the last step - Updating database schema
CSCsl14083 wrong src and dest address/port parsed for snort event
CSCsl15808 NAT address filtering doesn’t work in scheduled ranking reports
CSCsl17838 include signature diff data between 435 and 601 in 601 image
CSCsl17852 Need DB upgrade script: from_0x_3_50_to_06_0_13.sql
CSCsl19616 include fuse and sshfs in 601 image
CSCsl19691 To include superdoctor package
CSCsl20087 Pink box error due to finding null interface as next hop address
CSCsl22819 PushReportResultsServlet wrongly inserts Incident Id Map entry twice
CSCsl22999 Mars - Purge Archive message reporting wrong partition
CSCsl24328 CS-MARS IPS TR/RR Support in release 6.0
CSCsl29431 MARS interface must always be accessed from new IE browser session
CSCsl31143 MARS restore process fails on 4.3.1
CSCsl31267 UCB: need to fix how mem limit is enforced on Linux 2.6 platform
CSCsl32590 CS-MARS - ASA 7.2 syslog 713228 not parsed correctly
CSCsl39856 2.6 Kernel panic on old Mars 50 model
CSCsl49530 Support IOS IPS devices in bidirectional cross linkage
CSCsl49534 Device Resolution logic to be enhanced to consider context information
CSCsl52720 ’Test Connectivity’ failure indicates a wrong error message
CSCsl52833 bogus error in JBoss log when editing Case in GUI
CSCsl53449 Parsing source IP from a Linux event
CSCsl55529 Device Support Framework (DSF) Phase 1
CSCsl58089 L3 path calculation is not working for checkpoint connected routes
CSCsl59123 CS-MARS: Duplicated Anomaly Reports do not work correctly
CSCsl65674 CS-MARS - IOS syslog IP_SOURCE_GUARD-4-DENY_INVALID_PACKET no MARS event
CSCsl77503 data work: add new entries from Gen-2 /etc/services to pn_service.txt
CSCsl77947 Need an extra field in PN_DEVICE table
CSCsl78914 Adding NETFLOW_ASA_STORE_ALL entry in PN_SYS_PARAM table
CSCsl82191 CS-Mars IPS Dynamic updates fail if using a cisco ip address for server.
CSCsl82607 Doc\ Typo, sever should read server
CSCsl83645 Support for filtering TR/RR values in real-time LLV
CSCsl86150 5 tuple information missing inside of raw msg of CheckPoint Opsec
CSCsl87120 Even for wrong URL for Qualys guard, CS-MARS say discovery successful du
CSCsl92623 Need to support ACS SE and ACS SW upto 4.x
CSCsl94750 "Succesful" is spelled incorrectly in CS-MARS.
CSCsl95540 Zone based Policy Firewall support required in IOS 12.4 device
CSCsm01248 System max read socket buffer size needs to be increased
CSCsm02412 ASA FT 8.1 device support
CSCsm02611 Add ASA 8.0.3 support
CSCsm03231 Enh: MARS should auto remove ^M in seed file
CSCsm03848 image management: enable binary and data upgrade separately
CSCsm08337 Add ASA 7.2.4 support
CSCsm08643 Include flowd license text on MARS 6.0 CD image
CSCsm09020 "missing_zone_info" incidents show up in the GC
CSCsm09021 Wrong query interval if leave one field blank
CSCsm09359 CSCsm11980
CSCsm11895 xCSM: Add GC APIs for P->E navigation in CSMS linkage
CSCsm11980 ASA-4-106023 event parsing error on MARS 4.3.2
CSCsm14585 Read-only policy page takes a long time to display for realtime events
CSCsm16469 Qualys Guard code refinements and more debugs
CSCsm17710 Report Result Replication can get stuck (LC --> GC)
CSCsm20064 Need an entry in PN_MODULE table for new process ’securesyslog’.
CSCsm21263 Add google perftools 0.98 version to MARS CD image
CSCsm22541 Performance improvements in query/report by better SQL
CSCsm27889 ASA 8.0 Parsing errors for some of the syslog messages
CSCsm28619 All Netflow v9 incorrectly categorized to be ASA v9
CSCsm28664 Need to update HELP -> About -> Documentation link after docs
CSCsm28714 Need CLI/UI method for retrieving log files
CSCsm31800 PIX|ASA 7.2 below mentioned Syslog messages are not parsing
CSCsm33408 Merge of datawork from x.3.3 to x.3.4
CSCsm34817 Windows 2003, Events are showing as Unknown Reporting Device
CSCsm34934 Windows 2003 Events are Scattering in MARS
CSCsm35155 Change ’Always Store ASA Netflow ...’ text in GUI
CSCsm36602 Parsing issue of FWSM-6-305009 FWSM-6-305010
CSCsm37082 %PIX/ASA-6-106015: Normalized incorrectly
CSCsm37572 Remove Any feature should be applied to the free input fields
CSCsm38062 MARS change wrong device type when use SNMP as access type
CSCsm38560 Unknown device event types reported for Snort 2.8 on X.3.3
CSCsm39521 scheduled report doing aggregation unnecessarily
CSCsm39733 reporting devices page needs to support a third level of devices
CSCsm41341 Add support for McAfee ePO 3.6.x and 4.0
CSCsm41623 Failure to add ASA device if version is less than 8.0
CSCsm41882 Java takes high CPU after using LLV (real time query)for a while
CSCsm45118 CSA Events in MARS appear as hex characters
CSCsm45708 Add support for Netscreen 5.4 and 6.0
CSCsm45753 Supporting latest release of intruShield 4.1
CSCsm48303 sslcert utility - need to restart securesyslog process along with jboss
CSCsm48603 config change report didn’t capture cat6k/vpn3k config change events
CSCsm48876 Support export in UCB
CSCsm49604 c_rehash utility required in MARS DVD image
CSCsm50878 RR/TR query: "0 - 100, Not Exists" does not match if RR/TR null
CSCsm51404 Sensor showing as couldn’t resolve name in the LLV query
CSCsm53557 Scheduled Hourly Reports doesn’t get executed
CSCsm54451 Memory Leak in Netflow processing code
CSCsm55938 PIX|ASA: Event parsing errors
CSCsm55954 detailed NAC report table header does not show in the schedule report
CSCsm56006 PIX|ASA70 - Event parsing errors
CSCsm56621 one thread in pnparser taking 99% cpu
CSCsm56916 SNMP Trap processing failure
CSCsm57453 Incident not created for some of same events
CSCsm57490 Misleading Description for System Rule
CSCsm57512 IOS12.2 - Event parsing error
CSCsm57823 xCSM: CSM xlaunch icon not shown against events from IOS<12.4
CSCsm58872 schema version (from dump file) not matched with UCB schema version
CSCsm60654 Device Display left-shifts elements of some rows
CSCsm62147 pnparser crashes, when Symantec AV trap comes
CSCsm63209 Pink box when adding device via ’unknown event report’ query result
CSCsm65365 IPS protocol field not parsed correctly
CSCsm65748 TCP port 32769 is open
CSCsm66185 Enh: PnParsedEvent mem reduction of reported user and var pairs
CSCsm66411 Enh: Sessionize stored IOS Netflow with non-netflow events
CSCsm67145 DSF- patterns link is not active while extending a system DT
CSCsm67785 LC/GC:topo push stucked processing audit log recs with null dbobject id
CSCsm68408 Wrong mapping of eth1 and eth0 interfaces by MARS
CSCsm68864 CSM icon is not displayed, if incident tab is first clicked
CSCsm69944 Cannot add IDS 4.x sensor to CSMARS
CSCsm70262 DSF-Filtering by provider: ’All’ doesn’t show MARS as device type
CSCsm70638 LC details not seen directly from GC (requires LC login)
CSCsm71228 CS-ACS parser modification to use strncasecmp
CSCsm71770 DSF-adding a user defined app type changes provider from cisco->local
CSCsm71782 PIX message 713041 is not parsed by MARS
CSCsm71834 ASA 8.1 add thru seed file, MARS showing it as ASA8.0 instead of ASA8.1
CSCsm72355 ASA netflow v9 field id are changed
CSCsm72961 Creation of rpcclient2 is not a part of build process
CSCsm73377 LC to support API to Add CSM from GC
CSCsm73384 xCSM: Support GUI wizard on GC to enable addition of CSM to LC(s)
CSCsm73815 DSF - provider information for device event type incorrectly displayed
CSCsm73829 GC: individual LC’s Hotspot diagram is empty
CSCsm74061 Microsoft JScript runtime error in 5.3.4 gen2 GC
CSCsm74069 DSF-extending a pure custom device type results in unknown DET
CSCsm74293 Queries for IOSIPS and IPS 5.x events returning empty
CSCsm74433 DSF- NOT able to delete a DET when it is mapped to a system ET
CSCsm74466 DSF- NOT able to extend a system Device Type for SNMP
CSCsm74572 MARS not updating IPS DYN Signature version on Oracle database
CSCsm75403 Network groups ignored in query
CSCsm75513 NACApp: Removal of Not required Params from Add flow
CSCsm75529 Host deletion from GC does not delete host in LC.
CSCsm75531 NACApp: MARS event for Unknown SNMP events
CSCsm75651 One space character missing in error message for add network.
CSCsm75661 Error message for deleting GC network in LC not user friendly.
CSCsm75685 NACApp: Add a new Rule
CSCsm76116 Incidents page does not retain time frame between page visits
CSCsm76324 Choosing different zones on summary page does not work.
CSCsm77657 SNMP Traps from NAC device not getting parsed in MARS
CSCsm77660 Many Incidents related to NAC are not triggered in MARS
CSCsm77794 MARS is not able to parse FWSM syslog 402117
CSCsm78161 WLC: Not able to edit discovered WLC
CSCsm78813 DSF- Derived device from system types shows unknown DETs
CSCsm78826 DSF-changing from sw to app type shld switch back while defining a DT
CSCsm79362 DSF - adding an ET with existing event ID results in HTTP 404 error
CSCsm79381 DSF-device type filter in event mangt page should display provider info
CSCsm79939 IP address in "More info of this device " is incorrect for Netscreen 5.0
CSCsm79967 Unknown Device Event Type when ACS SW added thru seed file
CSCsm79993 WLC: Inconsistency in parsing device name for WLC events
CSCsm80019 MARS not parsing interface IP Address enabled with DHCP client
CSCsm80086 The secure syslog events received for ASA 8.0.3 are appended with unnece
CSCsm80187 Merge 534 code to 601
CSCsm80740 custom parser: evts w/ NAT src/dst, w/o port/proto lost in sessionizer
CSCsm81152 GUI "data Archiving" page shows misleading status if Change failed
CSCsm81377 Mars 4.3 - not able to set custom POSIX timezone opt 11
CSCsm81434 DSF- pink box while querying an SNMP trap for manhunt device
CSCsm82282 DeviceType info not shown in Security and Monitoring Info Page
CSCsm82342 CSM ICON is not displayed,if the search criteria is All matching session
CSCsm82392 WLC: Discovery with wrong credentials does not throw any msg. to user
CSCsm82735 MARS is picking up seed file from wrong ftp directory
CSCsm83345 DSF- Derived device from pure custom type shows unknown DETs
CSCsm84042 pink box while adding a report to a case.
CSCsm84275 Same provider names repeated multiple times in Incidents.
CSCsm84291 GC query status shown In Progress even if its finished in LCs long back.
CSCsm84695 Qualys Guard: Hard coded URL for testing connectivity, needs to be docum
CSCsm85660 DOC Bug: Instructions for IPS Custom Signature Update is wrong
CSCsm85978 pnrestore accepts invalid hour input
CSCsm86203 failed restore leaves garbage that blocks further archiving
CSCsm87008 pnrestore accepts in-the-future end time
CSCsm87012 garbage information printed from pnrestore command (SFTP)
CSCsm87446 Error message for deleting GC report from LC can be user-friendly.
CSCsm88047 MARS not throwing any error if two context with same hostname added
CSCsm88307 DSF-Groups filter in event management page should display provider info
CSCsm88682 MARS: Java backend topo sync overflow in ID handling for SQL
CSCsm89141 LLV query with low EPS- events missing in GUI
CSCsm89189 PN MARS is displayed instead of CS MARS
CSCsm89191 Service deleted from LC though service grp is used in report.
CSCsm89213 unsupported mitigation command suggested for ASA 8.0.3
CSCsm89231 The INCIDENTS page shows as "pix" user even for ASA related events
CSCsm89300 Direct Discovery of a NON-ADMIN PIX8.0.3 context fails with an error
CSCsm89328 ACS SW/SE: MARS not parsing ACS events
CSCsm89371 WLC: Access Type details for WLC is blank in delete confirmation dialog
CSCsm90004 Activate button of Netflow Configuration
CSCsm90039 ASA Netflow not working
CSCsm90700 Deleting and re-adding IPS 6.x device changes the event device id
CSCsm90828 Scheduled hourly report with time range last 20 min give no results.
CSCsm91126 MARS should contain event type in windows event
CSCsm91450 MARS should support back and forward slash in rule’s keyword tab
CSCsm91707 xCSM : Test Connectivity needs to be done in CSM Edit flow
CSCsm91912 Results per page doesn’t work correctly when navigated to different page.
CSCsm92008 Security Manager not reachable error displayed after long time
CSCsm92407 IPS 6.x with virtual sensors not showing up in Topo graph
CSCsm92778 Test Connectivity not returning error when using invalid IPS credentials
CSCsm92836 Large interface index causes SQL errors during DB save of interfaces
CSCsm92942 Test Connectivity does not detect changed IPS certificate
CSCsm93557 LC/GC Not replicating large report result sets > 1000 elements
CSCsm93573 GC: scheduled report of Event Type Group Ranking return no result
CSCsm93778 MARS command model shows Extension for restricted model
CSCsm94206 "Unable to find priority" error msg thrown in log file
CSCsm94630 Policy query icon is not shown at times in Real time viewer
CSCsm94968 SecureSyslog - Use MARS messages to report errors
CSCsm95500 Confirm password field needed for SFTP archiving option
CSCsm96308 ASA 8.1 with name command not PARSED by MARS
CSCsm96926 CS-MARS support for wireless controller 5.x
CSCsm97016 Typo Error for the event ASA-6-716008 in the Events Column
CSCsm98109 Resource Utilization Report shows multiple bad entries (device_monitor)
CSCsm98909 MARS - Firewall Syslog ID 111008 Event Type name is misleading
CSCsm98967 GetCSMARSInfo servlet is not available
CSCsm99161 %PIX-4-330001 incorrectly handled in PIX 8.0
CSCso00243 DSF - DSF package is not always saved after exporting
CSCso01821 Inappropriate Normalized event naming for ASA/PIX-5-722044
CSCso02804 LC/GC Communications: Must check datawork number
CSCso03171 DSF-user should be warned if name and identifier are same for diff provi
CSCso03280 Enable migration working for UCB
CSCso06522 Merge from Blr to UCB mainline 6.0.1 Phase 1
CSCso09952 MARS shows unknown reporting IP:0.0.0.0 for events from WL controller
CSCso10199 LC/GC:Incremental topo push fails to send activate signal to GC
CSCso10751 !user as query criteria in scheduled report doesn’t work correctly
CSCso12186 FWSM-3-713085 event not being parsed
CSCso12982 DSF - need to remove extra character ’c’ from the parent DET information
CSCso13008 Following ASA 8.1 syslogs are not Parsing
CSCso13032 high amount of memory swapped in from /to disk
CSCso13676 Rediscovery does not remove old virtual sensors
CSCso14465 Upgrade/downgrade of ASA device doesn’t display correct version in MARS
CSCso15019 Phase-1 CD-2 Datawork
CSCso15575 jboss-service.xml moving out of pnos.tgz
CSCso15590 DSF-group info is removed while adding an ET,when provider is changed
CSCso15596 DSF - group info is not restored properly after importing
CSCso16201 FEATURE: MARS Image Management Checkins
CSCso16735 xCSM: P->E with CS Mgr credentials fails in crosslaunched CSM client
CSCso16798 New Netflow parser needs to add and tune some params in janus.conf
CSCso17050 Unknown Event Type for NAC syslog msg
CSCso17071 Source and Destination IP is not displayed for NAC events.
CSCso17074 Incorrect Event type for ASA ICMP.
CSCso17220 534 datawork merges
CSCso17267 CSC SSM 6.1 and 6.2 device support
CSCso17673 Securesyslog : Move renegotiate interval value to janus.conf
CSCso17973 pnparser: change getpid() to gettid() on new platform to aid debugging
CSCso19053 Cleanlog file has errors in script
CSCso19373 Merge from 601-csm3i-blr to 601-int-blr
CSCso19413 NAC Admin Login Successful Events not reflected in System Report
CSCso19721 IOS Zone-based policy Firewall messages changes in IOS 12.4(15)T
CSCso19905 ACS 3.x: Generic event shown as Unknown Device Event Type
CSCso20091 Adding PN_SYS_PARAM Entry for Netflow
CSCso20611 pink box while testing connectivity to cco server with ssh/ssl option3
CSCso20925 GC loses lc/zone certificate information
CSCso21724 PIX Device deletion from GC updated in LC but not updated in GC.
CSCso21796 seed file error handling needs to be enhanced
CSCso21811 Scheduled daily report runs 45 minutes after the configured time on GC
CSCso22465 MARS is not able to parse FWSM syslog 209005
CSCso23987 Two reporting IPs in MARS stops secure syslog in ASA
CSCso24469 Merge of 6.0.1 Phase-2 device support features to UCB.
CSCso25952 DSF-Import/Export should be moved under the Packages Table
CSCso26073 Use less space in Query Edit Pane (remove blank lines)
CSCso27488 Wrong description for Event ID 5000077
CSCso27861 Sym Agent load thru seed file returns ArrayIndexOutOfBoundException
CSCso28421 AAA: When adding AAA server cannot select existing ACS
CSCso29393 DSF - extending SNMP trap supported devices doesn’t work
CSCso29503 6.0.1 datawork
CSCso31812 DSF- Displaying Provider Name in choice list & Query Result Pages
CSCso32099 Some ISS events parsing error on MARS
CSCso32158 Schema error in 6.0.12 blocks restore/migration
CSCso35123 SecureSyslog : Fine tune datachunk size
CSCso36149 should popup the previous url value after the user is warned
CSCso38012 Event type 418001 in FWSM 3.2 is not being parsed in latest build
CSCso38232 Host not shown in topology graph if Security Manager is added on it
CSCso38304 WLC: Error message is not appropriate for editing AP MAC
CSCso38506 misspelling in "Unknown comand" in MARS command line
CSCso39622 CSMARS not pulling iplogs from ips sensors
CSCso40926 DSF-ET definition info is lost if search is used while adding an ET
CSCso41484 DSF-ignore the severity field while defining a parser for a derived DT
CSCso41641 CS-MARS Inactivity report is not updated in netflow processing
CSCso41675 Rule Definition: Number of Keywords supported per Offset limited to 10
CSCso42023 Pink box is displayed during relogin after time out on FWSM module page
CSCso42923 scheduler-service.xml is copied too frequently
CSCso43232 Chile daylight time change need to be patched for mars.
CSCso43238 LC pull of updated GC rule fails if rule has been edited at LC
CSCso45041 Traffic Anomaly event (sudden increase) is not being generated
CSCso45101 ASA 8.0.3 : Parsing Errors for some messages
CSCso45179 Security exposure - DB password exposed in import script file
CSCso45196 Pink box when deleting a LC object used in the GC batch query
CSCso45986 IPS 5.x and IOSIPS events have TR value set to zero instead of null
CSCso46864 ASA v9 events not sessionized properly
CSCso46912 FWSM : MARS is not able to parse domain name with 63 characters..!!
CSCso49206 High mem use (or leak) in sessionizer with high rate stored ASA v9
CSCso49944 Key word "Qualys Guard" should be added on below message
CSCso50724 pnparser memory leak in parsing error handling caused restart by superV
CSCso52038 SecureSyslog : Use MARS events to report successful connection
CSCso53066 DbInterface’s interface_index value’s precision has to be 10
CSCso53328 Downloading a package should warn and/or block if insufficient space.
CSCso53345 files that are downloaded that don’t contain a package should be removed
CSCso53383 Activate button should be highlighted after downloading custom signature
CSCso54098 Mars 50: pnmonitor restart frequently
CSCso54308 LC stops communicating to GC, stack dump shows stuck in Version Check
CSCso54508 MARS should fire event for new packages available in CCO
CSCso55036 New Windows security events support needed
CSCso55931 Need migration/upgrade enhanced to support LC from script
CSCso56032 incremental topo ERROR-Topo Push failed, returning...SQLException
CSCso57071 Pnreset help command on CLI
CSCso57166 SecureSyslog : Remove highMarkReachedFlag check in securesyslog
CSCso57252 Reported User not listed in Report
CSCso57378 CISCO IOS 12.2 syslog messages 184518 and 159
CSCso58353 CSMARS stops pulling events from IPS sensors
CSCso59057 Create a directory /mnt/retriever
CSCso59093 Java code change breaks migration functionality
CSCso60384 TR/RR not present in results for All Matching Events - LLV raw events
CSCso60396 interrupting pnrestore may paralyze the Mars box
CSCso60975 TR/RR not present in query results for All Matching Sessions
CSCso61036 LC/GC Sync: Improve handling of config pull on update
CSCso61045 Report Push: Improve Performance By Batching Better
CSCso61274 Display of service name under rule tab is not correct
CSCso61275 a drop rule is duplicated after changing view
CSCso62665 Message should be clear when on archived file to retrieve
CSCso62775 Support for ASA Netflow events for E to P and P to E features.
CSCso64832 TR/RR missing from Custom Columns pull down in All Matching Sessions
CSCso66264 Related Events/Sessions not listed in report
CSCso66477 pnparser crashes with modified ASA/PIX syslog events
CSCso67102 Datawork number should be displayed in Help>About page
CSCso67537 Handle delete of objects used in batch query/reports across GC/LCs
CSCso67630 Schedule when a package is transferred to a cs-mars unit.
CSCso70178 Shared buffer stall is not detected in some cases
CSCso71201 FTP upgrade started from GUI or CLI does not work.
CSCso72148 Host name Any can be added via VA scan report in MARS
CSCso73998 Editing User Group From Rules/Action Menu Clears Group Members
CSCso74029 Downgrade fifo error message to warning; Rate limit SB full msg for LLV
CSCso74222 "show inventory" command shows wrong info
CSCso74903 Activate button led up
CSCso76394 error screen displayed after login
CSCso77625 Can not create drop rule by clicking on Add button at bottom of window.
CSCso79064 Specify the IP Address and Default Gateway for the Eth1 Interface
CSCso79078 Shut Down the Appliance via the Console info should be corrected
CSCso79084 Reboot the Appliance via the Console info should be corrected
CSCso79104 Telnet command info should be corrected
CSCso79115 SSH command info should be corrected
CSCso80805 Alternate Key lookup for pn_report fails in Java DBAPI
CSCso80816 Dashboard to report relations fail to replicate LC/GC
CSCso80923 Specific Pattern From a Customer Parser is Not Synced to LC
CSCso81801 oracle-ds.xml for gen2 models
CSCso81976 Parsing error ASA PIX FWSM
CSCso82007 Incorrect grouping of IOS event
CSCso82146 pnimp help displays wrong sftp syntax
CSCso82383 userid-username mapping not happening properly for syslogs
CSCso82959 DSF: Vendor is misspelled in dsf import GUI Screen
CSCso83198 DSF: Provider groups do not replicate to other LCs
CSCso83398 DSF- EditReportHelper:createNewReport method needs to set provider id
CSCso84509 Minor GUI changes needed for GC Accelerator
CSCso85737 DSF - change Java DBAPI for SQL injection prevention at pkg import time
CSCso85911 Add device from GC gives an error
CSCso86201 Vulnerabilities found against MARS unit
CSCso87624 MARS IOS Discovery failure when banner has number/pound (#) symbols
CSCso89219 6.0.1 Datawork
CSCso89940 MARS: User-Name in raw message not populating user column in NAC report
CSCso90275 Background color for TR, RR columns is incorrect
CSCso91145 Bogus harmless error in Jboss log when changing timeout setting
CSCso91171 show inventory displays wrong PID info for MARS 100 model
CSCso91852 CSA Dynamic generated agents are not displayed on GC
CSCso92379 "Cannot open /dev/sda for reading" error seen on installing Gen1 GC
CSCso92631 xCSM: Integration testing issues with GC Accelerator
CSCso92720 TR, RR fields switched in incident details page
CSCso93030 IP Management not displaying group associations when using Device Group
CSCso93113 DSF - report/inspection rule issue on GUI due to db schema change
CSCso93904 Gen1 GC listed less LC models than it supports
CSCso93942 DSF - Cross Site Scripting (XSS) prevention for DSF changes
CSCso94064 DSF - pkg summary after imp shows # of rules/reports = 0 when it’s not 0
CSCso94090 DSF - wrong event types for DSF internal syslog events
CSCso94099 DSF - need to display for each provider: number of rule/report/etc.
CSCso94438 DSF - GUI needs to enforce user-entered rule/report vers as +ve number
CSCso96380 Gen2 GC list support LC models wrong
CSCso96443 Gen2 GC2R: Restricted model is displayed wrongly in the error msg
CSCso96543 Gen2 GC2R: mars 100e is shown as 100r in error msg
CSCso97783 xCSM: NAT tuple in posted XML contains incorrect addresses
CSCso98826 DSF - need to enforce non-blank description when exporting a package
CSCso98956 from_lc_04_3_40_to_06_0_13.sql missing in DB schema file
CSCso99148 retrieve raw msg failed if device name has a space
CSCso99168 retrieve raw msg showed /Log4JConfig error
CSCso99202 DSF - Pattern type owned_by db field incorrect after pkg import
CSCsq00528 McAfee ePO Agent IP is not showing on the MARS after dynamic discovery
CSCsq00595 xmars-GCSupport:P-->E will not when Multiple LCs Added to GC with Device
CSCsq00734 non-stored ASA v9 - xlate and session five tuple not completely filled
CSCsq00886 DSF - GUI does not display pattern of imported user pattern type
CSCsq00967 DSF - preserve the Query Rule attributes in Report after Import
CSCsq00975 GUI inspection rule multiple issues -- count, keyword, extra : character
CSCsq01029 MARS Gen1 - Need Message Pointing to Failed Drive for Replacement
CSCsq01645 At archiving page, a warning should be provided when switching access type
CSCsq01655 Data Archiving: need more specific error messages
CSCsq01942 XML Notifications does not appear to be functioning
CSCsq02308 GC Support:Default_Global_Zone Options needs to be removed for P--E flow
CSCsq02887 xCSM: E->P for IPS VS fails
CSCsq03808 DSF - Issues in exporting with pagination on device type display page
CSCsq03898 DSF - Export doesn’t always export the et to etg relationship
CSCsq05197 DSF-Changes to Provider info at GC need activation
CSCsq05464 Modify Rules.make to accommodate static_csmars
CSCsq06297 fresh install 5.3.4->6.0.1 upgrade: unable to enter license
CSCsq06740 P -> E is failing for IPS VS0
CSCsq06845 WLC: bsnDot11StationDeauthenticate Trap is parsed as Generic Trap
CSCsq07003 CS-MARS: Test Connectivity to IPS 6.1 devices fails
CSCsq07455 Pink box while trying to see the list of packages from CCO.
CSCsq08077 Unable to see release notes of a package from GUI.
CSCsq08124 DSF: need to add a : for MARS-3-100076
CSCsq08179 DSF: system context is not added while discovering a derived device
CSCsq08230 archive not complete and restore crash
CSCsq08310 Import config hangs - does not complete and reboot machine
CSCsq08365 MARS Perf Enhancement IPS 6.0 Alert Processing hurdle tests FAILED
CSCsq08910 MARS not including the IP Address of ISS Agents discovered thru SNMPTrap
CSCsq10814 EditCert.jsp outputs certificate contents to stdout
CSCsq11132 pink box when click on local packages tab.
CSCsq11389 MARS not getting Sensor name properly from ISS SiteProtector SNMPTRAP
CSCsq11888 HIPS 6.x events from ePO 3.6.x are not recognized by MARS
CSCsq12532 Packages in the install packages list should not check for max version.
CSCsq12865 Discover process restarts when topology update scheduler is run
CSCsq12889 DSF - Cannot delete provider after deleting all rules
CSCsq13150 javaDbTool.sh tweak doesn’t return correct error code at time of error
CSCsq13778 Modify CSM device addition description in GC
CSCsq13858 SocketTimeout Exception while adding CSM to zones via GC
CSCsq13977 Multiple CSM addition Error is not appropriate
CSCsq14000 CSM Status Summary page should display all the LC’s information
CSCsq14051 Raw messages from ePO getting truncated in Query/Reports page
CSCsq14057 Mouse cursor should be changed to Hourglass while CSM is pushed to LC
CSCsq14131 Intrushield:Agent Name has to be filed in sensor dynamic discovery
CSCsq14178 CSM SSL certificate is not asked while adding CSM device
CSCsq14192 CSM Edit error message needs to be modified
CSCsq14712 MARS 25/25R VID and SN does NOT display properly
CSCsq14736 DSF-updated version for rules/reports is reset to ’0’ after exporting
CSCsq14743 DSF - provider name is not displayed while defining a rule group
CSCsq14749 DSF device type search does not work if vendor name has a "_".
CSCsq15156 DSF - import of a same report from different providers fails
CSCsq15421 Changing the status of the rule should show the current status
CSCsq15691 unable to import a package from CCO.
CSCsq16268 Intrushield sensor does not store monitored n/w information
CSCsq18180 Realtime queries pop up error message about corruption
CSCsq18918 Intrushield: Incorrect sensor is selected while editing and deleting!!!
CSCsq18945 "cswin" is not able to spawn thread to pull the windows events
CSCsq22075 Deleted LC is listed in the CSM addition page of GC.
CSCsq22135 CSM Add button should be grayed out when no LC’s are added to GC
CSCsq23249 "Edit Group" button is disabled for the Event Group in GC-LC setup.
CSCsq23276 pink box while clicking on the user rule action.
CSCsq23405 LC/GC Configuration Pull causes unnecessary Activation
CSCsq23623 Service filter related issues
CSCsq24054 Change version for CSC-SSM in ASA Device
CSCsq24066 Parsing error for CSC-SSM events
CSCsq24462 MARS Discovers netscreen with wrong OS when SNMP used
CSCsq24493 Cross-Launch Authentication Settings in GC do not show the exact values
CSCsq24637 GC CSM add wizard allows to add second CSM to a LC
CSCsq25159 Inactive device incidents triggered by wrong rule
CSCsq25167 upgrade gui should warn user if fsck will run after reboot
CSCsq25288 wrong package is listed in the install package list.
CSCsq25898 can not add LC to GC after 4.3.4 to 6.0.1 migration
CSCsq26089 support ASV plug-in natively on MARS
CSCsq26780 SNMP discovery does not happen for Netscreen 6.0 device
CSCsq27591 non-deterministic behavior observed when deleting multiple devices
CSCsq28308 too much IPS log dumped to backend log
CSCsq28367 Discovering IPS 6.0 device doesn’t show feedback to users
CSCsq29417 MARS showing the Protocol field as N/A for GTP
CSCsq29441 In FWSM syslog messages the Src field is appearing as 0.0.0.0.
CSCsq29469 MARS: Detailed NAC report with keyword query has empty columns
CSCsq30046 Global user rule shouldn’t be able to change status on LC
CSCsq30063 DSF- System ET groups missing not shown when editing user ET group
CSCsq30430 open source software: to include source code of nmap in ISO image
CSCsq30472 open source software: to include source code of nessus in ISO image
CSCsq31195 unable to retrieve data from local database and remote NFS server
CSCsq32381 DSF- name changed when opening an exported pkg with special chars
CSCsq32537 Upgrade status logs have same message twice.
CSCsq32870 Open Source Software: include jNetStream source code as per LGPL
CSCsq33001 Deleting one package from the local packages list delete all the package
CSCsq33040 On LC seeing pn_statistics_data with zone set to 0 (sometimes)
CSCsq33307 Custom device still shows up in the device list even after deleting it
CSCsq33766 Intrushield sensor can’t be added using seedFile
CSCsq35807 ePO: Seed file import(agents) results in ArrayIndexOutOfBoundsException
CSCsq35878 Different Checkpoint firewall versions must be displayed correctly
CSCsq36142 Intrushield:Pink box is displayed for mitigation/attack path query
CSCsq36573 User should not be allowed to check more than one package to download.
CSCsq36653 With performance traffic(syslog+NF), MARS sometimes can not keep up
CSCsq36910 No information about schedule upgrade on LC from GC in GC Logs.
CSCsq37307 big space in rule display
CSCsq37315 Need to update the Log message contents.
CSCsq37490 Migration: export frequently fails when exporting data
CSCsq38529 xCSM: good to have a SAVE button while P->E to LC via GC
CSCsq39659 sometimes TR/RR values are not displayed in Incident Details page
CSCsq39842 Deleting ASA does not delete sub module for IPS
CSCsq39932 SecureSyslog : Memory leak
CSCsq40774 ASA/PIX 8.0 Event type for 722022 need to be changed
CSCsq40873 Sudden Incr. in Traffic triggers every 2 mins instead of hourly
CSCsq41376 Package is not deleted from the list after the installation.
CSCsq41775 DSF- a device with derived custom DT cannot be edited
CSCsq42017 Change the icon shown for child node in device tree table
CSCsq44509 Event grouping is not happening for few of the ios12.2 events
CSCsq45693 Netscreen 6.0 real events reported as unknown device event type
CSCsq45860 IDS tagged syslogs from IOS are not normalized for IOS 12.3 version
CSCsq47201 SSL/SSH settings does not work for upgrade package download from CCO.
CSCsq47633 DSF-Should give warning when the provider IDs have conflict
CSCsq47901 IP address values are not parsed in syslog of CSC-SSM
CSCsq48832 DSF- Gui display issues on export summary page
CSCsq48845 MARS showing wrong version and DB error in 6.0.1 2953
CSCsq49746 Import of 4.3.4 config fails in 6.0.1 due to empty xml_key_value.
CSCsq50036 IndexOutOfBound exception pink box seen on GC device page
CSCsq50153 Issue with DB LOGON and DB LOGOFF events in Oracle device support
CSCsq50505 pnparser crashing and not parsing for some 5.4 Netscreen syslogs
CSCsq50642 Parsing Errors for NetScreen 6.0 Syslog Messages
CSCsq50653 NetScreen 6.0 Events reported as Unknown Device Event Type
CSCsq50736 ASA 8.1 Netflow sessionization failing intermittently
CSCsq50831 MARS: Rules for Cisco IPS events using keywords fails to pull data
CSCsq51089 5.3.4 to 6.0.1 upgrade takes longer time and shows many errors in log.
CSCsq51436 DSF- cloned system rule shown as Global rule on the exported standalone
CSCsq51732 DSF- the number of rule/report group count mismatch while exporting
CSCsq52035 QueryAndReport testcase is failed
CSCsq52348 IP address and port values are not parsed in syslog of Netscreen
CSCsq52370 Intrushield: MARS cannot parse 36 device events
CSCsq52419 Intrushield: MARS cannot parse newly added trap alerts
CSCsq52962 NetScreen 5.4 Events reported as Unknown Device Event Type
CSCsq53625 pink box while viewing the packages from CCO.
CSCsq53892 DSF- Syslog %Mars-3-100092 mismatch the actual event
CSCsq53898 Download connection info input fields take special chr. as valid input.
CSCsq53905 DSF- Syslog %Mars-3-100087, 100088 not generated with events
CSCsq54126 Proxy setup issue on GC for FTP download.
CSCsq54383 DSF- 9 relationship syslogs of importing pkg not implemented
CSCsq55369 Unable to install 6.0.1(2925) build on MARS 25 and MARS 25R
CSCsq55414 SecureSyslog : Server Exit/Close needs improvement
CSCsq55443 CSM icon not displayed on upgrade x34/5->601 & on archive/restore on 601
CSCsq55606 Junk info received along with report in email
CSCsq56287 Ambiguous log message for downloading a upgrade package.
CSCsq56592 DSF- char "/" in the export pkg name cause the file cannot be downloaded
CSCsq56742 DSF- Export Summary page does not differentiate providers with same name
CSCsq57129 DSF- "Any" should not co-exist with other value in imported rule/report
CSCsq57286 mars is not checking for space while downloading a upgrade package.
CSCsq57331 Incident is not created for new package availability on CCO.
CSCsq57444 DSF - "Change Status" stops working for imported rule
CSCsq57680 IPS device shown as Host in full topology and hotspot diagrams.
CSCsq57788 Missing_Zone_info error shown along with zone name for GC incidents.
CSCsq57929 No Fail event for Qualys Guard during Discovery
CSCsq58922 pink box if the file size of the upgraded package is more than expected.
CSCsq58996 Scheduled upgrade does not start at updated time.
CSCsq59278 Scheduled upgrade on LC doesn’t start on updated time.
CSCsq60654 Events not getting sessionized properly in a certain scenario
CSCsq61393 Need to include JBoss source code as per LGPL
CSCsq61618 Download connection information page does not show the correct catalog.
CSCsq62119 IPS raw msgs are displayed incorrectly in custom column queries
CSCsq62543 Enhancements in the Exchange lib code
CSCsq62799 IPS shows monitored networks against device name and not against Vs
CSCsq62989 Report status stuck in Progress in GC though it’s finished in LCs.
CSCsq64953 tnsnames.ora has wrong config to use TCP instead of IPC
CSCsq65062 Static route entries are not fetched during Netscreen Discovery
CSCsq65304 Event type is wrong for ciscoLwappMeshChildExcludedParent trap
CSCsq65857 NPE in GCAccelerator status page while adding/editing CSM to multi zones
CSCsq66538 Change IPS 6x sensor name and save doesn’t trigger rename of VSs
CSCsq67627 DSF- imported event type group failed to sync to GC
CSCsq67629 DSF- new det or new parser of a system device type failed sync to the GC
CSCsq68935 DSF- Overridden system DET failed to be pulled to LC
CSCsq69140 Log messages should be more informative.
CSCsq71345 GC rule not edited/deleted on/from LC after its modified/deleted from GC
CSCsq71393 Package download from CCO timeout and fail.
CSCsq71632 DSF- Importing overridden system DET causes two entries of same DET
CSCsq71810 MARS discards capacity drop count event
CSCsq71826 inline report server generate key violation logs
CSCsq72389 DSF- old rules shown in selected window of a imported rule group
CSCsq72447 DSF- Auto increased version number stop at 10.0 when exporting pkg
CSCsq72794 provide CSCsq14057 fix for retry flow
CSCsq72973 Modify error message in CSM Status Summary page
CSCsq73210 Issue in discovering netscreen 5.4 & 6.0 using ip address or network id
CSCsq73259 Allow Users to Save Credentials is not disabled in Edit flow
CSCsq74093 DSF- rule/report & pkg relationship tables need to be archived
CSCsq74373 need to include the open source jradius source code in the iso
CSCsq75890 GUI accepting network as a next hop address
CSCsq75966 Estimated time of data import is much higher than actual time.
CSCsq76389 device discovery page error / dead-ends discovery flow
CSCsq76440 Need to include source code for Nbtscan in release ISO
CSCsq76465 Archiving Status shows wrong info when 0 day and SFTP apply
CSCsq76699 Need to put iconv lib into the CCO site.
CSCsq77182 The report can be deleted when user tries to edit it
CSCsq77587 DSF- some system pattern types set local box as provider on upgraded box
CSCsq77785 CSM icon is shown in Incident page, when CSM is not present in MARS
CSCsq79671 DSF- Device types lost after archive/restore on Gen2 boxes
CSCsq81419 Intrushield:Sensor can’t be added manually but can be added by autodis.
CSCsq83149 confusing Test Connectivity user feedback in "discovery" language
CSCsq83339 Pink Box error when the search criteria is All matching sessions, Custom
CSCsq84870 Incomplete ips 6.x reporting device for Packet Data events
CSCsq85509 DSF- editing GC local provider cause new imported provider added on LC
CSCsq85536 DSF- config sync blocked if the local provider of LC is imported on GC
CSCsq85631 New PCI groupings for 6.0.1
CSCsq87406 Need to forcefully Activate after changing the windows pulling interval.
CSCsq87964 Cannot delete a provider created report
CSCsq88601 Events from a non-added ePO server have junk characters
CSCsq88753 Intrushield : Traps for signature with backslash can’t be parsed by MARS
CSCsq88942 Unknown device eventtypes in ACS 4.x
CSCsq89914 IPS 6.x with dup reporting IPs trigger javascript error in testconn
CSCsq90321 CSCsq90453
CSCsq90453 Global user rules not triggered on LC
CSCsq91854 Local provider info doesn’t match after LC pkg import followed by LC add
CSCsq92142 PushReportResults doesn’t properly handle failed report push
CSCsq92353 DSF- imported rule on GC has different editable fields than LC
CSCsq92651 DSF- parser not updated correctly by importing pkg
CSCsq92734 DSF- updated version, time of DT not set correctly from imported pkg
CSCsq92906 only see one package in exchange pop-up window
CSCsq92911 error while downloading exchange package while proxy server configured
CSCsq92956 ssl setting w/accept first time and prompt when changed does not prompt
CSCsq93490 proxy server error message is thrown after downloading corrupted pkg
CSCsq93500 we should not see "exchange"showing in the error message
CSCsq93751 Failed to add access point to wlc
CSCsq93755 next button on wlc addition page doesn’t take to device edit page
CSCsq93921 Default OS for host on IP management should be (Any, Any)
CSCsq94025 Event mapping for ACS events is not as in the event management page
CSCsq94947 Rule update with rule name near length boundary causes error
CSCsq96072 Inappropriate Name,Description,Platforms,CVE for NormalizedEvent 6004954
CSCsq96364 Rule correlation and matching doesn’t work with src/dest IP 0.0.0.0
CSCsq96383 Add support for 5 new IPFIX draft netflow field IDs for future ASA
CSCsq97148 CSCsq97148 - MARS-Gen1 6.0.1.2960 IPS alert db insertion low performance
CSCsq97166 Incident Details page sometimes missing multicolumn nesting
CSCsq97214 radius-acct tcp service is missing from pn_service
CSCsq97507 Download connection info page give wrong error message.
CSCsq97855 IPS 5.x module drops mon nets on cert acceptance
CSCsq97991 Incidents subtab is broken in phase 2 CD 3
CSCsq98716 Intrushield:Device Name and Agent Name fields can be merged..!!!
CSCsq99277 IPS 6.x support for device type Cisco Switch-CatOS
CSCsq99749 SFTP failed to mount due to slow remote file server
CSCsq99796 IPS JSPs don’t trim whitespace from user-provided sensor names
CSCsq99804 CS-MARS not showing complete Events from ISS Siteprotector
CSCsr00748 I/O optimization for es file archiving
CSCsr01035 Incident not triggered for Mapleleaf Violation events
CSCsr01048 unknown device eventtype in WLC
CSCsr01371 P2E is Failing for ICMP events on Mars due to Service type issue
CSCsr01713 Event information is not listed properly in Reports
CSCsr02628 MARS import process should check the configuration
CSCsr02710 Bad url attached to Event Parsing Thread Count setting
CSCsr03956 Netscreen 6.0 event not parsing
CSCsr04396 New package incident should be created based on polling interval.
CSCsr04436 Not able to download packages from CCO.
CSCsr04449 pnupgrade hangs if database services are not running.
CSCsr06202 NACApp: One event CCA-1530 is not parsed properly
CSCsr06977 Oracle stops during upgrade from 5.3.5 to 6.0.1
CSCsr07596 Optimization for raw message file storing and indexing
CSCsr07932 Error while downloading a package from CCO.
CSCsr09448 pnparser: avoid flooding log file in other parts of pnparser
CSCsr09766 insufficient space error message should be same in all scenarios.
CSCsr10615 "pnimp import" command usability enhancements
CSCsr11944 Wrong message for the packages not exist on local server.
CSCsr12289 MARS 200 at 6K eps shows system load average 6
CSCsr12538 Mars is hanging while scheduling an upgrade.
CSCsr12875 DSF- protected package cannot be unlocked after being imported
CSCsr12892 DSF- package name missed in the msg when viewing a locked item
CSCsr13783 Model selection option (MARS110 or MARS110R) is not available on install
CSCsr13827 AP MAC address is updated with leading zero
CSCsr13959 MARS- Log entry filling up backend logs
CSCsr14401 ’changeto’ command related event triggers Modify Network Config rule
CSCsr15066 DSF - unlocked package failed to be locked again
CSCsr18203 New upgrade package report doesn’t give the list of new upgrade packages
CSCsr19284 Remove protego networks from error message
CSCsr19423 Pinkbox error when CSM certificate is not accepted
CSCsr19863 ASA 8.1 Netflow dropped with seemingly low Netflow rate on GEN1/M20
CSCsr19873 MARS connectivity to oracle server is failing
CSCsr19940 BigFile merge 535-601 is not proper
CSCsr20150 Raw msgs not shown correctly in some cases
CSCsr20575 IPS devices not connected to cloud in topo graph
CSCsr20598 Detailed NAC report does not consider ACS 4.x events
CSCsr21305 File should be deleted from the local packages list after the upgrade.
CSCsr21526 pnupgrade permission is set wrong while upgrade from 5.3.5 to 6.0.1
CSCsr23290 Can get into a new installed MARS box without License Key
CSCsr23815 Bottom Apply button in IPS TR/RR query screen isn’t aligned properly
CSCsr24404 "Download Connection Information" view source reveals CCO password
CSCsr24463 DSF - Spelling mistakes in the DSF encryption popup
CSCsr25043 Issue in event parsing when ACS SW is added to host with othr sec apps
CSCsr25103 Unknown device event type in ACS 4.x
CSCsr27905 Issue with registry settings for pnLogAgentService
CSCsr28636 Upgrade GC and LC at same time can fail on LC
CSCsr28639 MARS-435-601 migration raw msg index file not created
CSCsr28645 Remove Upgrade GUI timeout limit for file download
CSCsr28664 MARS-pnparser improvements for time function call
CSCsr28684 Time function is using much CPU in process_event_srv
CSCsr29515 raw msg retrieval, error msg should be more clear
CSCsr32150 DSF- Pink box in device support package page after migration
CSCsr32196 Parse Message ID to help sessionize ACS 4.x events
CSCsr35511 DSF- some typo in a few syslog raw msgs
CSCsr36915 P -> E is not working for IPS 5.1 device
CSCsr38680 Don’t log cert error for image upgrade download
CSCsr40542 Event missing after migration from 4.3.5 to 6.0.1
CSCsr40604 Secure syslog: 2nd reporting IP changes"Client Authentication" to YES
CSCsr42220 high rate IPS eps causes pnesloader crashed
CSCsr44042 File size displays 0 if upgrade package is loaded from a local server.
CSCsr44278 cannot pull iplogs after changing ips certificate
CSCsr45199 Inactive device event for devices with manager-agent based architecture
CSCsr45295 Detailed NAC Report not working with Secure ACS Auth failed: External DB
CSCsr46599 Keyword Query JNI code floods janus_log
CSCsr47032 Report results are audit logged
CSCsr49381 Upgrade change needed for CSCsr47032 - Report results audit logged
CSCsr49920 pnesloader killed by cpu-checker
CSCsr50331 csips getting killed by check-CPU handler
CSCsr50755 Issue with system reports.
CSCsr51537 5.3.5 to 6.0.1 upgraded MARS shows empty PCI DSS compliance report grp.
CSCsr51563 PCI-DSS03 report group contents not correct for 2 reports.
CSCsr51653 user should not be allowed to edit catalog polling URL
CSCsr51975 FTP download failure does not tell the reason of failure.
CSCsr53241 Intrushield sensor IP is not added if it exists in IP Management
CSCsr54091 DSF- an overridden system DET become an extend DET after import
CSCsr54732 import process should show the status on new ssh session
CSCsr55244 McAfee ePO 4.0 Seed file import IP Address issues because of ePO Defects
CSCsr58480 DSF- special chars convert issue when add rule/report/event group
CSCsr59097 DSF- failed to upload data package to Mars Forum
CSCsr59972 two menu bar while discovering wlc device
CSCsr61038 Exported 5.3.X data not imported on 6.0.1 machine
CSCsr61404 export help syntax contains reference to {nfs_path} only
CSCsr64225 Import data process stops while building raw message indexes
CSCsr65736 Securesyslog - Tune sharedbuffer size per model
CSCsr67114 pnesloader killed by superV memCheck
CSCsr73132 Error message seen in case of detailed NAC report
CSCsr74553 rm/ix/es files lost in creation of archive
CSCsr75234 Reports GUI is broken for operator users
CSCsr75604 New upgrade package report should not show the word "Exchange".
CSCsr78881 error reported by csips during archive/restore
CSCsr81796 DSF- empty content in ’ ’ when the pkg is not available
CSCsr82291 DSF- ET group in the rule filter lost after LC added to the GC
CSCsr85545 IPS Dynamic Sig Update - sticks in "downloading" state on redirect
CSCsr90763 MARS IPS performance - processing low percentage of IPS events
CSCsr94031 Statistics synchronization causes array out of bounds exception
CSCsr94248 Cannot download from CCO - Catalog URL in an empty string
CSCsr96430 hostname is reset to "pnmars" after upgrading from 5.3.6->6.0.1
CSCsr96773 intermittent error while downloading a package from CCO.
CSCsr99577 Source and Dest IP reported as N/A in NetScreen 6.0 Events
CSCsu03332 DSF-pnparser restarted after sending a SNMP trap for extend data& parser
CSCsu09821 Intrushield Sensor name field is mandatory while adding sensor
CSCsu27807 pnarchiver ERROR while processing IPS events
CSCsu32145 Device event type not inserted on 5.3.6->6.0.1 upgrade
CSCsu36301 Gen-1 Hotswap add/remove accepts disk 0 but does not accept last disk
CSCsu43079 catalog polling URL is null after we select polling interval non never.
CSCsu46527 package polling interval NEVER can not be changed
CSCsu47322 KeywordQuerySrv is not running after migration from 4.3.6 to 6.0.1
CSCsu51373 src ip ranking query in GC shows only one entry
Resolved Caveats—Releases Prior to 6.0.1
For the list of caveats resolved in releases prior to this one, see the following documents:
• http://www.cisco.com/en/US/products/ps6241/prod_release_notes_list.html
Product Documentation
For the complete list of documents supporting this release, see the release-specific document roadmap:
• Cisco Secure MARS Documentation Guide and Warranty
http://www.cisco.com/en/US/products/ps6241/products_documentation_roadmaps_list.html
Lists the document set that supports the MARS release and summarizes the contents of each document.
• For general product information, see:
http://www.cisco.com/go/mars
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html